Have you ever opened an email attachment that looked like a PDF but was actually a malware-laden Word document? Hackers are increasingly employing “MalDoc in PDF” to deliver malware without detection by anti-virus solutions.
This page will define MalDoc in PDF, describe how it operates, and provide suggestions for avoiding potential harm. We will also address malware protection and identifying and avoiding hazardous materials.
What is MalDoc in PDF, and How Does It Work?
JPCERT defines “MalDoc in PDF” as a new attack vector in which fraudsters incorporate malware-infected Microsoft Word documents into PDF files and propagate them.
In reality, PDFs are polyglots, or files that use more than one file type. In this instance, the hackers are using PDF and Word documents. Depending on the software that opens them, these files may be handled as many file types.
If you open the file with a PDF viewer, it will look like any other document. However, opening it in Microsoft Word will activate a VBS macro that downloads and installs MSI malware.
A VBS macro may create or change files on your computer. The Microsoft installation (MSI) file may install new applications or upgrades on your PC.
The hackers behind this attempt are taking advantage of most antivirus systems to scan PDF files as PDFs even when viewed as Word documents. By doing this, they are able to successfully distribute their malicious payload without the security program’s notice.
Since its discovery in July 2021, this technique has been used to propagate ransomware, malware, and trojans.
How to Spot and Avoid MalDoc in PDF
One of the most popular ways hackers infect computers with malware is via malicious documents. Users are tricked into accessing or downloading these files by social engineering methods, including phishing emails and sham websites.
Malicious documents might be hard to recognize, but these signs may help:
- The sender’s email address or domain name is unfamiliar, suspicious, or spoofed.
- The email subject or message is vague, urgent, or contains spelling or grammatical errors.
- The attachment name or extension is unusual, mismatched, or double-extensioned (e.g., invoice.pdf.docx).
- The attachment size is too large or too small for the expected content.
- The attachment icon or preview does not match the expected file type.
- The attachment asks you to enable macros, editing, or content when opened.
Do not open or download the file if you see any of these warnings. You should ignore it and either report it as spam or delete it. Contacting the sender via phone or text message is another option for establishing their authenticity.
How to Protect Your Devices and Data from Malware
Even if you avoid malicious papers, compromised websites, portable devices, and network sharing may spread malware.
As a result, you should safeguard your devices and data against malware assaults by doing things like:
- Keep your operating system and applications updated with the latest security patches.
- Use a reputable antivirus program and keep it updated with the latest virus definitions.
- Scan your devices regularly for malware infections and remove any suspicious files or programs.
- Use strong passwords and change them frequently for your online accounts and devices.
- Enable multi-factor authentication for your online accounts and services, especially for those that contain sensitive or personal information.
- Avoid using public or unsecured Wi-Fi networks or devices, and use a VPN service if you have to.
- Back up your important data regularly to an external drive or a cloud service, and encrypt it if possible.
- Educate yourself and others about the latest cyber threats and how to avoid them.
A polyglot file is a file that contains two or more different file formats. For example, a file that can be both a PDF file and a Word document
Hex editors can show raw file data, therefore, opening the PDF file with one can inform. The string “PK” at the beginning of the file indicates a ZIP archive including a Word document.
Cybercriminals employ MalDoc in PDF to hide malicious Microsoft Word documents in legitimate PDFs and circumvent security software. Polyglots trick victims into opening PDF files in Microsoft Word, which runs a VBS macro that installs malware.
Avoiding dangerous documents and utilizing a mix of security measures may protect your devices and data against this and other viruses.
We hope this post has clarified what MalDoc in PDF is and how to avoid being infected with it. Feel free to ask questions or make observations in the space provided.